#npm

3 articles

Tech Apr 1, 2026 5 min

Claude Code full source exposed via npm; OpenAI Codex token-theft flaw disclosed at the same time

A summary of how source maps bundled in the Claude Code npm package made over 510k lines of TypeScript visible, and how a branch-name command injection in OpenAI Codex could have allowed theft of GitHub tokens.

Security Claude Code OpenAI npm Supply chain

Tech Feb 24, 2026 updated 6 min

npm supply-chain worm 'SANDWORM_MODE' targets AI development environments, stealing crypto keys and CI secrets

Socket reports an active campaign using 19 malicious npm packages. It targets AI development environments such as Claude, Cursor, and VS Code, stealing SSH keys, npm tokens, and API keys, and then propagates via a worm.

npm Security Supply Chain Malware AI Development

Tech Dec 10, 2025 2 min

npm Was Broken So I Switched to pnpm [React2Shell Vulnerability]

npm install kept failing with a mysterious error while patching Next.js/React for a security vulnerability. Switching to pnpm fixed it immediately.

npm pnpm Node.js Next.js React Security Troubleshooting Experiment